explaingit

xiaojianbang8888/xiaojianbang-stealth-hook

Analysis updated 2026-05-18

68CAudience · researcherComplexity · 5/5LicenseSetup · hard

TLDR

An Android kernel-level hooking framework that lets security researchers intercept and modify function calls inside apps using hardware breakpoints, without touching app memory.

Mindmap

mindmap
  root((stealth-hook))
    What it does
      Kernel level hooking
      Hardware breakpoints
      No memory patching
    Tech stack
      C
      Android kernel
      ARM64
    Use cases
      Reverse engineering
      Study detection systems
    Audience
      Security researchers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Intercept function calls in an Android app to inspect arguments and return values.

USE CASE 2

Study anti-cheat or anti-fraud protections without triggering memory-scanning detection.

USE CASE 3

Modify a function's return value or arguments at runtime for reverse engineering research.

What is it built with?

CAndroid kernelARM64

How does it compare?

xiaojianbang8888/xiaojianbang-stealth-hookfreertos/freertos-smp-demosnettitude/clr-stomp
Stars686872
LanguageCCC
Last pushed2025-02-16
MaintenanceStale
Setup difficultyhardmoderatehard
Complexity5/53/55/5
Audienceresearcherdeveloperops devops

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1day+

Requires a rooted Android device with a modified kernel via KernelPatch and APatch.

You can use and modify the code, but any distributed derivative work must also be released under the same GPL license.

In plain English

This project is an Android kernel-level hooking framework aimed at security researchers and reverse engineers. Hooking, in this context, means intercepting a function call inside a running app so you can observe what arguments were passed to it, what it returned, or change those values before the original function runs. This tool does that without modifying any memory inside the target process, which is what makes it unusual. Most existing hook tools (the README compares against several well-known ones) work by patching code inside the app's memory or injecting a shared library into the process. Anti-cheat and anti-fraud systems in apps can detect both of those approaches by scanning memory or checking for suspicious library mappings. This framework instead uses a CPU-level feature called hardware breakpoints, which are debug registers built into ARM64 processors. The hook is set up inside the kernel, not in the app's memory, so the app's own scanning code cannot see it. Using the tool requires a rooted Android device running a modified kernel environment called KernelPatch and APatch, which allows loading custom kernel modules. You push two files to the device: the kernel module (a .kpm file) and a command-line tool. From there you tell the tool which process to watch, which shared library inside it to target, and at what byte offset within that library the function starts. The tool then logs every call to that function in real time, showing register values and memory contents. You can also replace the return value, modify arguments before the function executes, or capture only a specific numbered call. The README is written primarily in Chinese. The project is licensed under GPL-2.0-or-later. The author maintains tutorials and technical articles on Bilibili (a Chinese video platform) and a paid knowledge community where full implementation details are published.

Copy-paste prompts

Prompt 1
Explain how hardware breakpoint hooking differs from memory patching for Android reverse engineering.
Prompt 2
Help me set up KernelPatch and APatch to load this kernel module on a rooted device.
Prompt 3
Show me how to target a specific library and byte offset with this hooking tool.
Prompt 4
Walk me through logging register values for a hooked function call in real time.

Frequently asked questions

What is xiaojianbang-stealth-hook?

An Android kernel-level hooking framework that lets security researchers intercept and modify function calls inside apps using hardware breakpoints, without touching app memory.

What language is xiaojianbang-stealth-hook written in?

Mainly C. The stack also includes C, Android kernel, ARM64.

What license does xiaojianbang-stealth-hook use?

You can use and modify the code, but any distributed derivative work must also be released under the same GPL license.

How hard is xiaojianbang-stealth-hook to set up?

Setup difficulty is rated hard, with roughly 1day+ to a first successful run.

Who is xiaojianbang-stealth-hook for?

Mainly researcher.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.